Remove gcp creds from state (#1814)
fixes #1759

Reverts #1715 and
#1691.

The TF provider was already picking up credentials from the env var
before #1691. We have no reason
to store these in the state.

Note that this might break users who depend on the stored
credentials for authentication. I think this is intended and they can
set up an env var or explicitly configure the provider to store the
credentials.
VenelinMartinov committed Mar 11, 2024
1 parent 452bcce commit 6918cf0
Showing 14 changed files with 50 additions and 127 deletions.
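--- a/provider/cmd/pulumi-resource-gcp/schema.json
+++ b/provider/cmd/pulumi-resource-gcp/schema.json
@@ -174,13 +174,7 @@
 "type": "string"
 },
 "accessToken": {
-"type": "string",
-"defaultInfo": {
-"environment": [
-"GOOGLE_OAUTH_ACCESS_TOKEN"
-]
-},
-"secret": true
+"type": "string"
 },
 "activeDirectoryCustomEndpoint": {
 "type": "string"
@@ -330,14 +324,7 @@
 "type": "string"
 },
 "credentials": {
-"type": "string",
-"defaultInfo": {
-"environment": [
-"GOOGLE_CREDENTIALS",
-"GOOGLE_CLOUD_KEYFILE_JSON",
-"GCLOUD_KEYFILE_JSON"
-]
-}
+"type": "string"
 },
 "dataCatalogCustomEndpoint": {
 "type": "string"
@@ -100697,8 +100684,7 @@
 "type": "string"
 },
 "accessToken": {
-"type": "string",
-"secret": true
+"type": "string"
 },
 "activeDirectoryCustomEndpoint": {
 "type": "string"
@@ -101201,13 +101187,7 @@
 "type": "string"
 },
 "accessToken": {
-"type": "string",
-"defaultInfo": {
-"environment": [
-"GOOGLE_OAUTH_ACCESS_TOKEN"
-]
-},
-"secret": true
+"type": "string"
 },
 "activeDirectoryCustomEndpoint": {
 "type": "string"
@@ -101357,14 +101337,7 @@
 "type": "string"
 },
 "credentials": {
-"type": "string",
-"defaultInfo": {
-"environment": [
-"GOOGLE_CREDENTIALS",
-"GOOGLE_CLOUD_KEYFILE_JSON",
-"GCLOUD_KEYFILE_JSON"
-]
-}
+"type": "string"
 },
 "dataCatalogCustomEndpoint": {
 "type": "string"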
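--- a/provider/provider_yaml_test.go
+++ b/provider/provider_yaml_test.go
@@ -20,6 +20,7 @@ package gcp
 import (
 "fmt"
 "os"
+"os/exec"
 "path/filepath"
 "strings"
 "testing"
@@ -564,3 +565,33 @@ func TestRegress1488(t *testing.T) {
 }
 ]`, proj, proj))
 }
+
+func TestEnvTokenNotInState(t *testing.T) {
+if testing.Short() {
+t.Skipf("Skipping in testing.Short() mode, assuming this is a CI run without GCP creds")
+}
+
+output, err := exec.Command("gcloud", "auth", "print-access-token").Output()
+outputStr := strings.TrimSpace(string(output))
+if err != nil {
+errMsg := err.(*exec.ExitError).Stderr
+t.Fatal(string(errMsg))
+}
+t.Setenv("GOOGLE_OAUTH_ACCESS_TOKEN", outputStr)
+cwd, err := os.Getwd()
+require.NoError(t, err)
+test := pulumitest.NewPulumiTest(t, filepath.Join("test-programs", "storage-bucket"),
+opttest.LocalProviderPath(providerName, filepath.Join(cwd, "..", "bin")),
+)
+googleProj := os.Getenv("GOOGLE_PROJECT")
+if googleProj == "" {
+googleProj = testProject
+}
+test.SetConfig("gcp:config:project", googleProj)
+
+test.Up()
+stack := test.ExportStack()
+data, err := stack.Deployment.MarshalJSON()
+require.NoError(t, err)
+require.NotContains(t, string(data), "accessToken")
+}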
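Review bot: The last assertion in TestEnvTokenNotInState checks only for the property name `accessToken`, so the token value itself could still be present in the exported deployment under another key without failing the test; comparing against the value, e.g. `if strings.Contains(string(data), outputStr) { t.Fatal("access token value found in exported state") }`, checks the secret and keeps it out of the failure message. The unchecked `err.(*exec.ExitError).Stderr` panics when `gcloud` is not on PATH, since that error is an `*exec.Error`; `if ee, ok := err.(*exec.ExitError); ok { t.Fatal(string(ee.Stderr)) }` followed by `t.Fatal(err)` handles both cases. Only the environment-variable path is exercised: the three `credentials` variables removed in resources.go have no equivalent test. The schema.json section also drops `"secret": true` from `accessToken`, so a token set explicitly in provider config may now be stored in plaintext unless the user marks it secret; that looks worth confirming before release.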
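--- a/provider/resources.go
+++ b/provider/resources.go
@@ -496,21 +496,6 @@ func Provider() tfbridge.ProviderInfo {
 },
 },
 },
-"access_token": {
-Default: &tfbridge.DefaultInfo{
-EnvVars: []string{"GOOGLE_OAUTH_ACCESS_TOKEN"},
-},
-Secret: tfbridge.True(),
-},
-"credentials": {
-Default: &tfbridge.DefaultInfo{
-EnvVars: []string{
-"GOOGLE_CREDENTIALS",
-"GOOGLE_CLOUD_KEYFILE_JSON",
-"GCLOUD_KEYFILE_JSON",
-},
-},
-},
 },
 ExtraConfig: map[string]*tfbridge.ConfigInfo{
 "skipRegionValidation": {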
4 changes: 2 additions & 2 deletions sdk/dotnet/Config/Config.cs


17 changes: 1 addition & 16 deletions sdk/dotnet/Provider.cs


20 changes: 2 additions & 18 deletions sdk/go/gcp/config/config.go


17 changes: 0 additions & 17 deletions sdk/go/gcp/provider.go


4 changes: 2 additions & 2 deletions sdk/java/src/main/java/com/pulumi/gcp/Config.java


4 changes: 0 additions & 4 deletions sdk/java/src/main/java/com/pulumi/gcp/Provider.java


2 changes: 0 additions & 2 deletions sdk/java/src/main/java/com/pulumi/gcp/ProviderArgs.java


4 changes: 2 additions & 2 deletions sdk/nodejs/config/vars.ts


6 changes: 2 additions & 4 deletions sdk/nodejs/provider.ts


4 changes: 2 additions & 2 deletions sdk/python/pulumi_gcp/config/vars.py

